Archive

Archive for the ‘Security’ Category

#33C3 – my “must have”-sessions

December 27, 2016 Leave a comment

Like every year, the annual Chaos Communication Congress takes place to cover the dead week between Christmas and New Year. I took a look at the schedule to identify my „must have“-sessions. These are:

As every year, I'll spend my rare free time with my family back home, but I'll try to catch at least a couple of my „must have“-sessions via the live streams. Once the event is over, I'll download all my sessions to watch them offline during hotel nights.

The full schedule can be found here: https://fahrplan.events.ccc.de/congress/2016/Fahrplan/schedule.html
Live stream will be available here: https://streaming.media.ccc.de/33c3
Downloads will be available here: https://media.ccc.de/c/33c3

All of you onsite: have a great event. 

[Update: 01.01.2017]
I've added the URLs of the recordings to the list of my „must have“-sessions. But I'll download all of the sessions to watch them bit by bit. I'll pick one or the other talk to dig into a little deeper and post my thoughts about it.

Dell One Identity Manager 7.0 Rollup Package 1 released

November 2, 2015 Leave a comment

Dell Software just released the first rollup package for Dell One Identity Manager 7.0, which comes with a bunch of resolved issues as well as a couple of cool new features. Features I've been waiting for due to customer issues:

  • Support for encrypted emails using TLS, S/MIME and PGP
  • Reading and assigning SAP security policies
  • Support for PowerShell v3 and later
  • Transport of UNSRoot definitions including all necessary settings
  • Applied sort order of change labels during transports
  • Support for transporting compliance rules

But there are a couple of additional cool features included as well:
The REST API was extended to support additional capabilities such as calling methods, scripts, customizer methods and events, as well as support for different collection load types. This makes the REST API a bigger part of the upcoming API economy in IAM / IAG. Some additional SAP HCM info types have been added to make the SAP HCM sync more powerful and to avoid additional programming effort.

The rollup package is currently available through Dell Support, not yet on the download page.

Seems like I have to use a night in the hotel to upgrade my testing environment this week.

Categories: D1IM, IAG, IAM, IDM, Security, Tools

Current Security Nightmares

February 10, 2015 Leave a comment

What's going on out there in the networks in the last couple of days? We had a strange hack into a US health insurance provider exposing tens of millions of SSNs and addresses, a temporary shutdown of an online tax service due to identity theft fraud, a database security issue that came up just by accident using a search engine, and finally today a high-level politician dumping emails containing personal information of residents of a US state.

Diving into two of those security issues in some more detail:

The database issue I mentioned affects MongoDB, a popular NoSQL database system. Three students came across roughly 40,000 MongoDB databases open on the Internet, containing sensitive information up to credit card information, names and email addresses. Anyone might wonder how that could have happened: by just using default configuration values without checking them.

noauth
    Default: true
    Disable authentication. Currently the default. Exists for future compatibility and clarity.
    For consistency use the auth option.

So the default is to disable authentication? For future compatibility? Seriously? Wait… let's check the auth option for consistency reasons…

auth
    Default: false
    Set to true to enable database authentication for users connecting from remote hosts. Configure users via the mongo shell. If no users exist, the localhost interface will continue to have access to the database until you create the first user.

Yeah… great… Authentication is disabled by default… Pretty consistent…

Source for both: Configuration File Options, MongoDB Manual 2.2.7

Whoever made that decision, I wouldn't want to be in their position right now. We'll see how long it takes until both options get their defaults flipped. Note that the same manual documents the default for bind_ip as "all interfaces", so a stock install on a host with a routable address is reachable, without credentials, by anyone who can reach the port. The conclusion should be: the more you trust a product, the more you should focus on the default configuration before going into production. Placing too much trust in a vendor / community just because you're a "fan" of the tool will put you at risk if you lose sight of the configuration options.
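As an added example (not from the original post and not MongoDB's own tooling): a small Python audit for the pre-2.6 "key = value" mongod configuration format that the quoted 2.2 manual documents. It parses the file, then flags the three things discussed above: auth missing or false, noauth explicitly true, and bind_ip missing or pointing at non-loopback addresses. The defaults it assumes (auth off, noauth on, listen on all interfaces) are the ones the 2.2 manual states; the set of addresses treated as "local only" and the two sample configurations are constructed for this example.

```python
"""Audit a pre-2.6 (key = value) mongod configuration for insecure defaults.

Added example; not part of the original post or of MongoDB itself. The defaults
it relies on (auth off, noauth on, bind_ip = all interfaces) are the ones the
MongoDB 2.2 manual documents; the loopback address set is an assumption.
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}  # assumption: what counts as "local only"


def parse_config(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment, later keys win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def is_true(value):
    """Accept the usual spellings of a boolean option value."""
    return value.lower() in {"true", "1", "yes", "on"}


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings = []

    auth = cfg.get("auth")
    noauth = cfg.get("noauth")
    if noauth is not None and is_true(noauth):
        findings.append("noauth = true: authentication explicitly disabled")
    elif auth is None:
        findings.append("auth not set: 2.2 default applies (authentication disabled)")
    elif not is_true(auth):
        findings.append("auth = false: authentication disabled")
    if auth is not None and noauth is not None and is_true(auth) and is_true(noauth):
        findings.append("auth and noauth are both true: contradictory, check which one mongod honours")

    bind = cfg.get("bind_ip")
    if bind is None:
        findings.append("bind_ip not set: 2.2 default applies (listen on all interfaces)")
    else:
        addresses = {a.strip() for a in bind.split(",")}
        if not addresses <= LOOPBACK:
            findings.append(f"bind_ip = {bind}: reachable from other hosts, so auth and a firewall are mandatory")
    return findings


# Constructed sample configurations (not taken from real deployments).
INSECURE_CONFIG = """\
# Typical 2.2 config: storage and logging set, nothing about auth or bind_ip
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
logappend = true
"""

HARDENED_CONFIG = """\
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
logappend = true
# require credentials and only listen on the loopback interface
auth = true
bind_ip = 127.0.0.1
"""

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["no findings"])
```

Run it against the real /etc/mongodb.conf of a 2.x host before it goes into production; an empty result only means the three settings discussed here are sane, not that the rest of the file is.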

The second issue I'd like to dive into is a US politician and potential presidential candidate dumping emails containing sensitive data of Florida state residents. He set out to bring some transparency into his work by posting emails he exchanged with residents of the state of Florida. Unfortunately, he and his team did not redact the emails beforehand. So he just dumped emails containing SSNs, clear-text names and even emails with the following text add-on:

Confidential communications intended for indicated recipient only

Keeping in mind that this guy might be a future president of the United States of America, trying to rule the world, I'm getting worried and afraid. Guys like him decide on rules affecting hundreds of millions of people without having the slightest sense of how to deal with their residents' data. Is that the future we're moving into? I hope not. It should be mandatory for politicians to have a basic understanding of privacy, data security, encryption and the way to deal with sensitive information. I'm really upset right now…

Categories: Privacy, Security

Biometry is broken

January 28, 2015 Leave a comment

From what we've seen during 31C3, biometry is broken. It's not just broken if we try to get the fingerprints of a potential victim by extracting them, using forensic methods, from whatever our victim might have touched before. With what we've seen during the talk given by starbug (http://media.ccc.de/browse/congress/2014/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug.html#video – attention: the talk was given in German), the physical barrier is broken too. There is no more need to secure a glass that was touched by our victim. The fingerprint can be reconstructed from a photograph of the victim's fingertips, as long as the photo has a certain quality.

During his talk, starbug already gave some insight into what might be next: 4K video. I'm curious what he might come up with for the next congress. Maybe he's already working on extracting fingerprints from 4K video.

So you might want to say fingerprints are broken, but what about other biometric factors? Let's run through them:

  • fingerprints – broken
  • iris scans – broken (at least if the quality of the picture is good enough)
  • face scans – broken (as shown in the video)
  • heart beat – not broken yet

So let's look at what's left on the list: heart beat. There was a startup showing up with the idea of a wristband using your unique heartbeat signature as an identification token. Sounds pretty cool so far. But here it comes: I've been talking to different people about two different approaches that might break this as well.

The first approach (although much more theoretical, and with a moral and ethical impact) I've been discussing with a doctor. In the end she told me that it would be possible to use a pacemaker to re-program an individual's heartbeat. It has not been done before, but it's possible.

For the second approach I talked to someone who has worked in device security for quite a while. From his expertise, it shouldn't be the biggest deal to generate the specific electrical signal that will look like a valid heartbeat to the device.

So from where we are right now, there are only two conclusions:

  1. Don't trust biometrics as a single source of identification. They might be used in combination with other forms of authentication, but never ever alone.
  2. Biometric devices need to get better. They need liveness detection: the ability to determine whether they are scanning a printed version of the fingerprint, face or iris, or a real human being. This will raise prices for devices.
Categories: IAM, Identity, Privacy, Security

Deactivating RC4 in mainstream browsers

January 6, 2014 Leave a comment

Although this is pretty well known to IT guys, with all the revelations of the last weeks and months some sort of security awareness has grown within the crowd of non-IT people. So over Christmas I was asked by several people in my family how to disable insecure encryption in their browsers, as they learned that most browsers still use an outdated encryption algorithm: RC4.

While assisting members of my family and non-IT friends in securing their systems with these little steps, I came across a bunch of mainstream browsers, and I'd like to share the settings necessary to deactivate RC4 in each of them.

Unfortunately, I've not found any way to disable RC4 ciphers in Safari. So if someone has a hint, please let me know through the comments and I'll add it to the post.

Firefox

If you're using Firefox like I do, open a new Firefox session (a new window or tab) and type the URL about:config into the address bar. You should see a warning page telling you that everything beyond this point might void your warranty. Click the button acknowledging that you'll be careful. You should see a window looking pretty much like this (of course in your configured language).

Firefox - about:config

The really good thing here: the names of the keys are English anyway, so there's no way to miss the keys we're looking for.

Within the search box type „RC4“. Your list should automatically be reduced to six keys:

Firefox RC4 1

Flip all of them from their default true to false by double-clicking them. Firefox automatically shows changed entries in bold, which is a good way to verify. After closing the window or tab, your Firefox no longer uses RC4 and you're just a bit more secure.

Internet Explorer

If you're using Microsoft Internet Explorer, you have to tweak your registry. Therefore, create the following keys beneath „HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers“ using a registry editor, and in each of them set a DWORD value called „Enabled“ to 0 (00000000). Note that these SChannel settings are system-wide: they affect every application on the machine that uses SChannel for TLS, not just Internet Explorer, and writing them requires administrator rights:

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
There should also be a Windows update that disables the weak RC4 encryption, but sometimes it's better to double up.
 
Chrome / Chromium
 
If you're using Chrome or Chromium, you have to pass the cipher suites that should be deactivated as a blacklist on the command line that starts your browser. The odd part about this: there is no documentation for it. Everything has to be looked up in the (open) source code. The values are IANA TLS cipher suite IDs; note that the list below not only covers RC4 but also the NULL suites 0x0001 and 0x0002 (no encryption at all), and that 0xff80 to 0xff83 lie in the private-use range of the registry. So your new command line will look like this:
 

chromium-browser --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83

 Opera
 
I've not found anything regarding RC4 in the settings of Opera. Searching the Internet just brought up that you increase your security by disabling anything using MD5 in Opera (potentially causing some issues with pages offering MD5 only): use the extended menu, security options, security protocols, details, and disable all MD5-based methods.
Attention: I've not tested this one on my own, so please be careful.
 
Last but not least
 
Last but not least, I'd like to share a link to check which ciphers are used by your browser of choice: https://cc.dcsec.uni-hannover.de
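The check such a page performs is simple: it looks at the cipher_suites list in the ClientHello your browser sends. As an added example (not code from the original post, from the check page linked above or from any browser project), here is that check done locally in Python on a captured ClientHello. It parses the TLS record header, the handshake header and the cipher_suites vector, then reports every suite ID that is an RC4 or NULL suite; the IDs and names are taken from the IANA TLS Cipher Suite registry. The build_client_hello helper and the two sample hellos exist only to construct test input; on a real system you would pass offered_suites() the bytes of the first packet your browser sends to a TLS server, e.g. exported from a packet capture. SSLv2-format hellos, which very old clients could still send, are not handled.

```python
"""Inspect the cipher suites offered in a TLS ClientHello and flag RC4/NULL suites.

Added example, not code from the original post or from any browser project. Suite
IDs and names come from the IANA TLS Cipher Suite registry; the ClientHello builder
only exists to construct sample input for the parser.
"""
import struct

RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
}
NULL_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
}


def build_client_hello(suites, version=b"\x03\x03"):
    """Build a minimal TLS ClientHello record (constructed test input only)."""
    body = version + bytes(32)                        # client_version, random (zeros here)
    body += b"\x00"                                   # session_id: empty
    body += struct.pack("!H", 2 * len(suites))        # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # compression_methods: null only
    body += b"\x00\x00"                               # extensions: none
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_suites(record):
    """Return the cipher suite IDs a ClientHello record offers, in the client's order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                      # skip client_version and random
    if pos >= len(body):
        raise ValueError("ClientHello too short")
    pos += 1 + body[pos]                              # skip session_id (length-prefixed)
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def weak_suites(record):
    """Names of the RC4 and NULL suites the client still offers (empty list = clean)."""
    known = {**RC4_SUITES, **NULL_SUITES}
    return [known[s] for s in offered_suites(record) if s in known]


# Constructed samples: a client that still offers RC4 next to AES-GCM, and one that does not.
LEGACY_HELLO = build_client_hello([0xC02F, 0xC02B, 0x0005, 0xC011, 0x002F])
HARDENED_HELLO = build_client_hello([0xC02F, 0xC02B, 0x002F])

if __name__ == "__main__":
    print("legacy client still offers:", weak_suites(LEGACY_HELLO))
    print("hardened client still offers:", weak_suites(HARDENED_HELLO))
```

Because the parser stops right after the cipher_suites vector, it does not care about the extensions a modern browser appends, so the same function works on hellos from any TLS 1.0 to 1.2 client.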
Categories: Encryption, Security

Biometric authentication approaches

September 25, 2013 Leave a comment

Apple recently released their iPhone 5s with a fingerprint sensor as a replacement for the typical 4-digit PIN code. As expected by the majority of people in the security space, it only took a few days until the biometrics team at the CCC (Chaos Computer Club) was able to fake a fingerprint to unlock an iPhone 5s. The article can be found here (German) and here (English). If you're not willing to read, here is the initial video, which was re-done upon request of http://istouchidhackedyet.com and is available here.

So what does that mean for biometric authentication?
Although we're in total agreement that passwords must die, the security feature that looked promising at first glance turned out to be just cheap hardware that can be compromised by simply increasing the scanning resolution. Biometrics might be a way to get away from passwords, but not with simple and cheap hardware. As the fingerprint sensor was meant to replace the typical 4-digit PIN code, this might just have been the first step. But imagine the impact if the necessary APIs had already been open to application developers leveraging this technology. In that case your mobile banking account would be easier for an attacker to open than before, likewise your credit card data in the App Store, and so on. So the CCC hack would be the initial (and not very complicated) step towards complete identity theft.

Another approach was taken by the inventors of nymi. They are trying to capture something unique: your heartbeat. But your heartbeat is just a single component of a 3-factor authentication: you'll need your heartbeat (pretty hard to lose), your nymi device and your authorized authentication device (nymi calls that AAD), like a smartphone, tablet or whatever. So even if you lose your smartphone and someone gets your nymi device, they're still missing the third component.

But nymi still offers an attack vector from my understanding: the nymi device uses Bluetooth to communicate with your AAD, so there is some potential for hijacking the Bluetooth connection and all information that is exchanged via Bluetooth.

Looking at the nymi approach, there's only one conclusion: biometrics by themselves will not replace passwords (not as long as devices like fingerprint readers are so weak that they are unable to do a deep enough scan to distinguish a faked fingerprint). Biometrics will be part of multi-factor authentication as a replacement for passwords. A good idea might be a combination of the nymi approach with fingerprints: a fingerprint sensor that is able to read not only the skin-deep fingerprint but also the pulse running through the finger. Such a combination would be far harder to fake. And with all paranoia, it allows certain scenarios: your left thumb in combination with your heartbeat just unlocks your device, while your right middle finger in combination with your heartbeat and a security code or external token authenticates you into your corporate network when using private devices as part of a BYOD strategy. Additionally, this combination would remove the Bluetooth attack vector that is still open with the nymi approach, so it would need a physical device hack to intercept the information.

One question is still circling in my head, maybe someone is able to answer it: what happens to your heartbeat in case of a myocardial infarction, or in case you get shocked during a medical emergency: will such an event influence your heartbeat and potentially destroy your access token?

Categories: IAM, Mobility, Privacy, Security

Passwords must die – we’re on the way

For several months and identity-related conferences there has been one hot topic ongoing, represented as a popular hashtag within the IAM crowd (some call them / us identirati): #PasswordsMustDie

I already spent some time in March blogging some lines on #PasswordsMustDie in the article "Passwords must die – but how". And over the past weeks I spent some time looking around at various places to see how it's going on the way to kill passwords. There's a bunch of news in that space that I'd like to wrap up pretty quickly.

The FIDO alliance

The FIDO alliance (FIDO stands for Fast IDentity Online) was formed as a non-profit organization in summer 2012 to change the nature of user authentication. Some well-known names among the members of the FIDO alliance are:

  • Google
  • Lenovo
  • PayPal
  • PingIdentity
The alliance is still growing, making its way to bring a FIDO plugin supporting various FIDO authenticators, such as hardware-based tokens, fingerprints and voice identification, as well as combinations of those, differentiating them into two kinds of tokens:
  1. Identification tokens as unique identifiers being associated with an online identity
  2. Authentication tokens for identity proofing

Mozilla Persona

In April 2013, the Mozilla Identity team announced the second beta of Persona as a simple way to log in to various services and web sites using any modern internet browser. Their simple goal: eliminate passwords on the web. Although the base of services and web sites is still small, I do expect them to grow their service base over the months.

 

Both the FIDO alliance and Mozilla Persona show that there is something going on to kill passwords. These initiatives will see a major boost in usage as soon as some bigger services start supporting their technology and approach. As long as services like Twitter and LinkedIn just enable their users to use two-factor authentication as a result of various security incidents, there is still some password usage, although it's just a single part of authentication. Let's see which popular service is the first to start using such technologies as offered by FIDO or Mozilla; then we might see some real security improvements.

Categories: Cloud, IAG, IAM, Identity, Security, Strategy